Security Basics mailing list archives

Is portscanning legal? was Re: application for an employment


From: "Chavoux Luyt" <chavoux () gmail com>
Date: Tue, 4 Apr 2006 13:29:19 +0200

Hi guys!

It seems as if the original question for employment advice has been
answered already and instead changed to a discussion on the legality
of port-scanning...


From: "Ramsdell, Scott" <sramsdell () stinsonmoheck com>
<snip>
> Craig Wright has tried exhaustively to clear this issue up.
>
> David Gillett provided an excellent "throw a rock at a window to see if
> it's open" analogy.
>
> Hans (sorry, deleted the email and don't have the last name) suggested
> the misunderstanding on this thread is a difference in societal customs
> and norms.
>
> All very good points and well made.

Hans also mentioned it as different viewpoints starting from a
technical or a legal point of view. I think there is also another
difference: people who see the Internet largely as the Web (www) vs.
people who see the Internet as a worldwide internet (a public network
of networks) including much more than the web and email. It seems as
if the first group thinks in terms of specific client programs
(browsers, e-mail clients etc.), while the second group thinks in
terms of typical "server" applications (for want of a better word)
like search bots, DNS servers, and various network administration
tools. The first group sees internet users mostly as "users" of the
(publicly) available information on the Net while the second group
sees internet "users" more as peers sharing the same public network.
The first group thinks mostly at a higher level of client applications
while the second group thinks at the lower level of networking and how
it works.

> My family's businesses have one door open to the public, the front door.
> It is clearly labeled as the front door of a publicly available
> business, and well understood by the US public to be the proper way to
> gain access to the publicly available goods inside.

But I also do business with our local Co-op and there I would normally
(if I wanted to buy lots of fencing or whatever) first enter through
the (open) back gate, park my pickup at the materials I wanted, then
go and enter via (one of) the open front doors (and if one was closed,
I'll try the other one), order and pay for the materials, then give
the invoice to one of the workers to take to the back and have them
load whatever I ordered. All of this would be perfectly legal.

I think that most of the different analogies used are not really
applicable. In the end it really comes down to copyright issues,
damaging systems, privacy and other real-world crimes/offenses being
committed using a computer.

<snip>
From: Craig Wright [mailto:cwright () bdosyd com au]
> "A port scan is not
> punishable under the Penal Code. For an explanation, please refer to
> Chapter 4 of this manual" This means that the act is not to be treated
> as criminal. This does not make the act unactionable as a civil
> violation or an administrative offence. This is that it is still
> illegal, but only actionable if there is resultant damage.
>
> Again - illegal and criminal are not the same. Trying to treat them as
> such is wrong. Criminal is a subset of illegal. Illegal is the superset.

Thanks for the explanation. However, why would port scanning be
considered illegal since it is not a criminal offense? It doesn't
access any copyrighted material, it finds out what services another
computer on the Internet (public network) is willing to provide to my
computer (also connected to this same public network). It IS actually
a way of finding out what services are being advertised on that
server. Another way might be to do an e-mail search, or an ftp search,
or write my own search bot, or use one of the publicly available
search engines (e.g. yahoo or google). The obvious intent being to
find available information that I want or need or that interest me.

One example that I can think of is when a web site provides a link to
an email address that doesn't work. A port scan on the relevant server
could tell me if the mail server is down (and what alternative
services might be available on the server for contacting whoever I'm
looking for). FTP services are frequently available with no web links
to them. Instead of doing a time-consuming ftp search, a port scan
might tell me if ftp is available on a server where I would expect to
find the information I'm looking for. These are all legitimate and
legal uses of a port scanner as far as I can tell.

<snip>
From: "John E. Fleming" <John () parcassets com>
<snip>
> I like this idea of thinking. So if a bank leaves the vault open does
> that make it legal for me to load up as much cash as I can even though
> it may have been left open unintentionally? Or could it be that the door
> has not been left open intentionally therefore making it illegal and the
> proper authorities should be notified to fix the issue.

But, it is not seeing the open door that is wrong, it is stealing the
money. What is being stolen when you do a port scan? How would you
even know the door is open to let the proper authorities know, if you
did not happen to do a port scan? This is where the analogy fails
again, looking and seeing that the door is open is analogous to the
port scan... is this illegal?

Finding out which doors are open and which ones closed is something
that happens frequently at shops with more than one entrance
(sometimes, but not always, there is a helpful sign that says: "please
use the other door", or "door closed because of air conditioning,
please come in"). Both legitimate customer and thief are interested in
which doors are open and which ones are closed, the reasons are just
different.

<snip>
On 2006-04-01 Craig Wright wrote:
> If you port scan to find everything, how long does it take you to find
> anything?

You won't normally port scan to find everything, but you might port
scan e.g. to find a service that has been "advertised" elsewhere as
being on the specific server.

> Or are you stating that you are looking for other services that are
> NOT public - such as SSH or Telnet which are not secured?

SSH is obviously not public, but what prevents a server from providing
a public archie Telnet service? Port scanning might once again be
helpful in finding them and should be legal AFAICT.

> Are you looking for SMTP servers so that you can check if they have an
> open relay? Are you looking for FTP servers that are not locked down
> so that you can load files without permission?

The fact that no authentication is needed to download the files makes
it a public ftp server, no? If not, how do you tell the difference
between a public FTP server and a private FTP server on the Internet?

> Looking for port 80 will not always find a web site (nor will it help
> find information). A single IP address can have numerous sites that
> are accessed using host headers - so knowing the IP may not allow
> access to the site per se.

But it can tell me that no public web server is running on that
machine and that I waste my time looking for "advertised" information
on a web page on that specific server... I should look elsewhere.

From: Bob Radvanovsky <rsradvan () unixworks net>
Subject: Re: What is an illegal act
> How about over-simplifying it even further?  Let's use an example from
> the various socialistic governments out there, that under "normal
> circumstances", such an action would NOT be considered "illegal" (say --
> accessing the Internet?).  Thus, an "illegal act" is any act that the
> *government* deems as "illegal".  Let's keep "black" as "black" rather
> than saying that there's 255 shades of it.  ;))
<snip>
From: Craig Wright [mailto:cwright () bdosyd com au]
> Further in a civil case, the onus is on the defendant to show that
> his/her action did not result in the damage.
>
> So let's take the case of port scanning. The server reboots and the
> database on the server (bad idea I know to have WWW and DB on the same
> system - but welcome to the real world) fails without a backup. A week
> before the company who owned the server/database had an evaluation of
> the worth of the IP on the database come in at $250,000 (not as large as
> you may think for a corporate IP database valuation as it includes cost
> to rebuild and recollate the data)
>
> In this case, the activity other than valid traffic at the time the
> server reboots is your port scan. The company decides to prosecute. The
> database is in the US and you are in central Europe. Under the provisions
> of the Cybercrime treaty the company who owns the server can do 1 of
> several things,
>   1. Criminal Damage - in either jurisdiction
>   2. Action in Tort (negligence, trespass etc)
>   3. Action in Common law (in the US) for will
>   4. Violation of the patriot act - provisions for cyber trespass etc.
>
> The company can choose the action and jurisdiction to best suit their
> needs - not yours. If they have taken the action under a criminal
> sanction in their jurisdiction, they may seek to extradite you. There is
> no specific treaty for extradition needed - this is defined in the
> Cybercrime convention. If you are in a country that has ratified (all
> members of the EC included) this, then you have no way of stopping this
> other than to prove that you have not caused the damage.

Here, the port scanning has caused a server reboot and damage... but
would the exact same danger not also be there if I use a mass
downloader to download from the web site and cause the server reboot?
Why would the port scan traffic be considered not "valid traffic"? And
if I used the client programs one after the other (e.g. try to telnet,
then ftp, or from a web browser connecting to different ports (e.g.
http://www.xyz.net:81, http://www.xyz.net:82, etc)), would that also
be illegal?

All in all, I think that portscanning has many legitimate uses. It is
simply a network tool. It can be used for illegal purposes in the same
way google can be used for illegal purposes. That doesn't make it
illegal.

Cheers
Chavoux
